Vulnerabilities in HMI Software


• GE Fanuc Proficy iFIX 4.5/5.0
• Insecure storage of passwords
• Authentication bypass
• Allows those with access to escalate privileges on the SCADA system
  ◦ Lower-level personnel with physical access
  ◦ Remote attackers with access via other/mainstream exploits


Case Study: iFIX

Proficy HMI/SCADA - iFIX 5.0
US-CERT Vulnerability Announcement #310355
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2009-02-10-01.pdf


Insecure Password Storage

[Screenshot: terminal session "bash-3.2$ ./ifixpassdump.py XTCOMPAT.UTL" listing the recovered records]

  Username   Password     User's Full Name
  ADMIN      [system]     ADMINISTRATOR
  GCLARK     GC           GEORGE CLARK
  GUEST      GUEST        GUEST
  LJONES     MYPASS       LAURA JONES
  PSMITH     PSMITH1978   PETER SMITH
  TWHITE     JI74ERT      THOMAS WHITE

User information/password is XOR'd with a static key and saved to XTCOMPAT.UTL

User credentials can be recovered from this file
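The following is an added example, not code from the slides or from GE Fanuc, contrasting the weak pattern described above (a record XOR'd with a key that ships inside the application) with a salted, iterated hash. The key, record layout and sample credentials are constructed for illustration and are not the real XTCOMPAT.UTL format.

```python
"""Added example (not from the slides): XOR with a static key is
reversible by anyone holding the file, so it is not password
protection; a salted PBKDF2 hash has no inverse.

The key, record layout and sample values are constructed and are NOT
the real XTCOMPAT.UTL format."""
import hashlib
import hmac
import secrets

# Constructed stand-in for a key baked into an application binary.
# It is identical on every install, so it is not a secret.
STATIC_KEY = b"\x5a\xa5\x3c\xc3"


def xor_with_static_key(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """XOR each byte with the repeating key. Applying it twice gives the
    plaintext back, so 'encrypt' and 'decrypt' are the same function."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def insecure_store(username: str, password: str, full_name: str) -> bytes:
    """Weak pattern: plaintext record, XOR-obscured, written to disk."""
    record = f"{username}\x00{password}\x00{full_name}".encode()
    return xor_with_static_key(record)


def insecure_recover(blob: bytes) -> tuple:
    """Anyone with the file and the static key recovers every field,
    which is exactly what the dump on the slide shows."""
    username, password, full_name = xor_with_static_key(blob).decode().split("\x00")
    return (username, password, full_name)


# --- hardened alternative: store a salted, iterated hash, never the password ---

PBKDF2_ITERATIONS = 600_000  # tune to the slowest acceptable login on the target hardware


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    A fresh random salt per call means equal passwords hash differently,
    so a stolen file cannot be attacked with one precomputed table."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    blob = insecure_store("LJONES", "MYPASS", "LAURA JONES")  # constructed record
    print("recovered from XOR'd file:", insecure_recover(blob))
    stored = hash_password("MYPASS")
    print("stored hash:", stored)
    print("verify correct:", verify_password("MYPASS", stored))
    print("verify wrong:  ", verify_password("mypass", stored))
```

The stored string carries its own algorithm tag, iteration count and salt, so the verifier needs no key at all; an attacker who copies the file gets only material that must be brute-forced one guess at a time.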


Authentication Bypass

[Screenshot: disassembly of the SECMGR security DLL around the password comparison, ending in a short branch to SECMGR.6ED175B4]

• Authentication is performed by a process running as the current Windows user
• A copy of the login program and security DLL can be made, modified, and used to log in as any user with any incorrect password
  ◦ Single-byte patch to the DLL to branch differently after comparing passwords


More violations of security principles in HMI software.

[Screenshot: the "Administrator Login" dialog, shown on three consecutive slides. Dialog text: "Enter an Administator user name and password; or leave the user name blank and enter the default Administrator password:", with fields User Name, Password, Challenge: 25295, and OK / Cancel buttons]

• Locked-out customers may call support to get a response to the "Challenge" field
• An attacker can discover (on their own time/systems) the algorithm used for challenge responses
• Result: attacker is logged into the security server as the default admin account. Can grant/deny permissions, add/remove users
• Response is first 8 characters of MD4(challenge)
• Easily calculated on a mobile device
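The two weaknesses above share one root cause: the value that decides login (the DLL's compare result, or the support "response") is computable on the machine the attacker controls, because no secret is involved. The following added example, not code from the slides or from GE Fanuc, puts the keyless challenge/response beside a keyed, single-use one. SHA-256 stands in for the MD4 named on the slide (MD4 is a legacy algorithm that current OpenSSL builds often do not expose), and the per-customer secret, customer id and 16-hex-character response length are assumptions of the example.

```python
"""Added example (not from the slides): a support 'challenge' whose
response is a keyless hash of the challenge, versus an HMAC response
that needs a secret only the support desk and the security server hold.

SHA-256 stands in for MD4; the lesson does not depend on the hash.
Customer ids, secrets and response lengths are constructed."""
import hashlib
import hmac
import secrets


def weak_response(challenge: str) -> str:
    """Weak design: first 8 hex characters of hash(challenge).
    No secret enters the computation, so the locked-out user, an attacker
    and the support desk all get the same answer from the same input."""
    return hashlib.sha256(challenge.encode()).hexdigest()[:8]


def weak_login_accepts(challenge: str, response: str) -> bool:
    """The dialog accepts any response equal to the keyless value."""
    return response == weak_response(challenge)


def _keyed_response(secret: bytes, customer_id: str, challenge: str) -> str:
    """HMAC over customer id and challenge; without `secret` the value
    cannot be derived from anything shown on screen."""
    msg = f"{customer_id}:{challenge}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class SupportDesk:
    """Holds a per-customer secret that the HMI software never ships."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, customer_id: str, challenge: str) -> str:
        return _keyed_response(self._secret, customer_id, challenge)


class KeyedChallengeVerifier:
    """Runs where the user cannot patch it (the security server, not the
    logged-in user's process), issues random single-use challenges and
    checks responses with the same secret the support desk holds."""

    def __init__(self, customer_id: str, secret: bytes):
        self.customer_id = customer_id
        self._secret = secret
        self._outstanding = set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(8)  # 64 random bits, not a 5-digit number
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already consumed: rejects replay
        self._outstanding.discard(challenge)  # single use, pass or fail
        expected = _keyed_response(self._secret, self.customer_id, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("keyless field accepts locally computed value:",
          weak_login_accepts("25295", weak_response("25295")))
    secret = b"constructed-per-customer-secret"
    desk = SupportDesk(secret)
    server = KeyedChallengeVerifier("plant-42", secret)
    c = server.issue_challenge()
    print("keyless guess against keyed verifier:", server.verify(c, weak_response(c)))
    r = desk.respond("plant-42", c)
    print("support desk response accepted:", server.verify(c, r))
    print("same response replayed:", server.verify(c, r))
```

Moving the decision into a process the user cannot modify is what defeats the single-byte patch; adding a secret to the response is what defeats the "calculate it on a mobile device" shortcut. Both are needed, and neither depends on keeping the algorithm itself hidden.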
Real-World HMI Security Incident

Texas Hospital Control System Incident
late June to early July 2009
SCADA Communications Vulnerabilities

• PLC Radios
  ◦ Freewave 900 MHz
    - 902-928 MHz ISM unlicensed band
    - Point to multi-point serial over wireless
• Attacks
  ◦ Scanning for radios
    - NMAP-like capability for PLC radios
  ◦ Eavesdropping
  ◦ Denial of Service

Student Researcher: Bradley Reaves


Discovery Scans

• Determines:
  ◦ Existence of network
  ◦ Access control (Network Identifier or Serial Number)
• Network Identifier Scan
  ◦ 12,288 combinations
  ◦ Scan time: 6.4 secs/combo
  ◦ Max runtime: 21.76 hours
• Serial Number Scan
  ◦ 96,000 combinations
  ◦ Scan time: 1.7 secs/combo
  ◦ Max runtime: 45.5 hours


Infiltration Scans

• Seeking a continuous, unbroken connection
• Need frequency settings
• 539,400 legal combinations
• Can scan at 12 s/combination
• Max time: 75 days
• +2.25 days to eliminate false positives


Denial of Service

• If our rogue slave transmits continuously, nothing else gets through.
  ◦ cat /dev/urandom > /dev/ttyS0 brings the whole system down
• This can be deadly in a PCS system
• This attack mirrors symptoms seen in the Bellingham incident

Conclusions

• We (our lab, vendors, and infrastructure) have made significant progress in SCADA security.
  ◦ Lots of vulnerabilities
  ◦ Potential for serious incidents
  ◦ Lack of applied security principles
• We are heading in the right direction
  ◦ Finding vulnerabilities
  ◦ Averted at least one control system incident
  ◦ Mapping out where these principles can be applied, and educating others


